Forum Discussion
How to Prevent Workspace Details from Appearing in LAQueryLogs During Cross-Workspace Queries
I’ve onboarded multiple workspaces using Azure Lighthouse, and I’m running cross-workspace KQL queries using the workspace() function.
However, I’ve noticed that LAQueryLogs records the query in every referenced workspace, and the RequestContext field includes details about all other workspaces involved in the query.
Is there any way to run cross-workspace queries without having all workspace details logged in LAQueryLogs for each referenced workspace?
1 Reply
- Clive_Watson (Bronze Contributor)
For me this is working as expected, as you need to know in the logs what has been done; however, as you mention, the downside is the visibility of this in the remote workspaces.
If you avoid the workspace() function you can bypass this.
By using the APIs to run the queries remotely, e.g. run the query then loop through required workspaces - this will require some dev work or Postman etc. In this case you auth to each Workspace, as you go, so only one is listed in RequestContext.
You may be able to use Advanced Hunting from within the Microsoft Defender MTO portal (not tested this much, so maybe check as I'm not 100%).
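
The per-workspace loop suggested in the reply, sketched as an added example (not code from the thread or from Microsoft). It assumes the Log Analytics query REST endpoint and a bearer token already obtained for each workspace; `query_each`, `rows_as_dicts` and the `SourceWorkspace` column are hypothetical names introduced here.

```python
import json
import re
import urllib.request

# Log Analytics query API: one workspace ID per request URL.
API = "https://api.loganalytics.azure.com/v1/workspaces/{wid}/query"
CROSS_WS = re.compile(r"\bworkspace\s*\(", re.IGNORECASE)

def http_post(url, token, body):
    """Default transport: one authenticated POST to the query API."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def rows_as_dicts(result):
    """Flatten the API's tables/columns/rows layout into a list of dicts."""
    out = []
    for table in result.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        out.extend(dict(zip(names, row)) for row in table["rows"])
    return out

def query_each(workspaces, query, timespan="P1D", post=http_post):
    """Run `query` once per workspace instead of one workspace() union.

    `workspaces` maps workspace ID -> bearer token (assumption: the caller
    acquires tokens). Each request names a single workspace, which is what
    the reply relies on to keep RequestContext to one entry.
    """
    if CROSS_WS.search(query):
        raise ValueError("query uses workspace(); run it per workspace instead")
    merged, errors = [], {}
    for wid, token in workspaces.items():
        try:
            result = post(API.format(wid=wid), token,
                          {"query": query, "timespan": timespan})
        except Exception as exc:  # keep going; report per-workspace failures
            errors[wid] = str(exc)
            continue
        for row in rows_as_dicts(result):
            row["SourceWorkspace"] = wid  # added client-side, not by the API
            merged.append(row)
    return merged, errors
```

Each workspace still records its own query in LAQueryLogs, so the audit trail stays intact; the merge that `workspace()` would have done server-side happens in the client instead.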